Article Details

Scrape Timestamp (UTC): 2025-09-08 17:56:43.077

Source: https://www.theregister.com/2025/09/08/salt_typhoon_domains/

Original Article Text


Salt Typhoon used dozens of domains, going back five years. Did you visit one?

Plus ties to the Chinese spies who hacked Barracuda email gateways.

Security researchers have uncovered dozens of domains used by Chinese espionage crew Salt Typhoon to gain stealthy, long-term access to victim organizations going back as far as 2020.

In a Monday report, threat intelligence firm Silent Push said it had found 45 domains, the majority of which were previously unreported, that it has linked to Salt Typhoon or UNC4841, a similar group.

Salt Typhoon is the People's Republic of China spying gang that hacked America's major telecommunications firms and stole metadata and other information belonging to "nearly every American," according to a top FBI cyber official who spoke with The Register about the intrusions.

UNC4841 is best known for a series of 2023 attacks that targeted CVE-2023-2868, a critical bug in some Barracuda Email Security Gateways, to deploy custom malware and maintain access to high-value networks, about a third of which belonged to government organizations.

The threat researchers note that key domain registration patterns in Salt Typhoon's previously reported command and control (C2) infrastructure helped them uncover the new domain names. Several of these shared the same registrant: "almost certainly fake" personas including "Shawn Francis," "Monica Burch," and "Tommie Arnold," most using ProtonMail email addresses, and all of whom purportedly live in the US at physical addresses that don't exist.

Interestingly, one of the domains appears to be a Hong Kong newspaper: newhkdaily[.]com. "Whether this is an impersonation of a Hong Kong media source with which we are unfamiliar, a Psychological Operation (PSYOP) campaign, or simply a propaganda front is unclear at this time," the researchers said.
Silent Push also identified nine domains linked to UNC4841 and noted that several of these appear in Barracuda's ESG vulnerability documentation as associated with the hack.

Researchers recommend that defenders check their telemetry and historic logs against these newly identified domains, the oldest of which was registered in May 2020, along with a list of low-density IP addresses observed in the DNS A records for all of these Salt Typhoon-related domains, and use these lists as hunting tools to help boot Chinese spies off of critical networks.

"Silent Push believes all domains associated with Salt Typhoon and UNC4841 present a significant level of risk," the report says. "Proactive measures are crucial in defending against this evolving threat."

The timing of these registrations also supports earlier indications that Salt Typhoon has been active since at least 2019, although its telecom hacking activities didn't come to light until last year.
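The hunting step the researchers recommend, sweeping historic DNS logs for the published domains and the low-density A-record IPs, is straightforward to script. The example below is added here and is not Silent Push's tooling or anything from the report. The only indicator taken from the article is newhkdaily[.]com; every other domain, IP address and log line is a constructed placeholder so the script runs offline (the sample resolution of newhkdaily[.]com to 203.0.113.45 is likewise constructed, not an observed record). It shows three things a practitioner needs to get right: refanging the defanged indicators a feed ships, matching subdomains on label boundaries so that lookalike names such as notnewhkdaily.com do not produce false hits, and flagging resolutions to a listed IP even when the queried name is not on the domain list, which is exactly why the report publishes the low-density IPs separately.

```python
"""Hunt historic DNS logs for Salt Typhoon-linked domains and low-density IPs.

Added example, not Silent Push's or The Register's code. newhkdaily[.]com is
the one indicator from the article; all other domains, IPs and log lines are
constructed placeholders.
"""
import ipaddress
import re
from collections import Counter
from typing import Optional

# Indicators as a feed typically ships them: defanged. The .example names and
# the RFC 5737 test addresses are constructed placeholders, not real IOCs.
DEFANGED_DOMAINS = [
    "newhkdaily[.]com",                  # from the Silent Push report
    "placeholder-c2-domain-1[.]example", # constructed placeholder
    "placeholder-c2-domain-2[.]example", # constructed placeholder
]
DEFANGED_IPS = ["203[.]0[.]113[.]45", "198[.]51[.]100[.]7"]  # constructed

# Constructed DNS resolver log: "<timestamp> <client> <rtype> <query> <answer>".
SAMPLE_DNS_LOG = """\
2025-03-02T10:15:02Z 10.1.2.3 A www.example.org 93.184.216.34
2025-03-02T10:15:09Z 10.1.2.3 A newhkdaily.com 203.0.113.45
2025-03-02T10:16:44Z 10.1.7.9 A cdn.newhkdaily.com 203.0.113.45
2025-03-02T10:17:01Z 10.1.7.9 A notnewhkdaily.com 198.18.0.5
2025-03-02T10:18:30Z 10.1.2.3 AAAA www.example.org 2606:2800:220:1:248:1893:25c8:1946
2025-03-02T10:19:12Z 10.1.5.5 A some-unrelated-site.test 198.51.100.7
2025-03-02T10:20:00Z 10.1.5.5 A placeholder-c2-domain-2.example 192.0.2.9
garbage line that should be skipped
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<rtype>A|AAAA)\s+(?P<query>\S+)\s+(?P<answer>\S+)$"
)


def refang(indicator: str) -> str:
    """Turn a defanged indicator (x[.]y, hxxp://) back into its literal form."""
    return (indicator.strip().lower()
            .replace("[.]", ".").replace("(.)", ".")
            .replace("hxxps://", "https://").replace("hxxp://", "http://"))


def domain_matches(query: str, ioc_domains: set) -> Optional[str]:
    """Return the IOC domain if `query` is that domain or one of its subdomains.

    The suffix check is anchored on a dot so lookalikes such as
    notnewhkdaily.com do not match newhkdaily.com.
    """
    q = query.lower().rstrip(".")
    for ioc in ioc_domains:
        if q == ioc or q.endswith("." + ioc):
            return ioc
    return None


def hunt(log_text: str, defanged_domains=DEFANGED_DOMAINS,
         defanged_ips=DEFANGED_IPS) -> list:
    """Return every log record that hit a listed domain, a listed IP, or both."""
    ioc_domains = {refang(d) for d in defanged_domains}
    ioc_ips = {ipaddress.ip_address(refang(i)) for i in defanged_ips}
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the whole hunt
        rec = m.groupdict()
        reasons = []
        matched = domain_matches(rec["query"], ioc_domains)
        if matched:
            reasons.append(f"domain:{matched}")
        try:
            # A resolution to a low-density IP is a hit even if the name is new.
            if ipaddress.ip_address(rec["answer"]) in ioc_ips:
                reasons.append(f"ip:{rec['answer']}")
        except ValueError:
            pass  # answer was not an IP literal (e.g. a CNAME target)
        if reasons:
            hits.append({**rec, "reasons": reasons})
    return hits


def clients_to_triage(hits: list) -> Counter:
    """Count hits per internal client so responders know which hosts to look at."""
    return Counter(h["client"] for h in hits)


if __name__ == "__main__":
    found = hunt(SAMPLE_DNS_LOG)
    for h in found:
        print(h["ts"], h["client"], h["query"], "->", h["answer"], h["reasons"])
    print("hosts to triage:", dict(clients_to_triage(found)))
```

Run against the constructed log, the sweep returns four hits: the apex and a subdomain of newhkdaily.com, one placeholder domain, and a name that is not on the list at all but resolved to a listed IP. That last kind of hit is the payoff of hunting on the A-record IPs as well as the domains: it surfaces infrastructure the domain list does not yet name. In production the log parser would be swapped for whatever the resolver or Zeek/DNS telemetry actually emits, and the indicator lists loaded from the report rather than hard-coded.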

Daily Brief Summary

NATION STATE ACTIVITY // Silent Push Identifies Chinese Espionage Domains Linked to Salt Typhoon

Silent Push discovered 45 domains linked to Salt Typhoon, a Chinese espionage group, used for long-term access to victim organizations since 2020.

Salt Typhoon, which Silent Push tracks alongside the similar group UNC4841, hacked U.S. telecommunications firms and stole metadata and other data belonging to nearly every American.

UNC4841 exploited CVE-2023-2868 in Barracuda Email Security Gateways in 2023 to deploy custom malware and maintain access to high-value networks, about a third of them belonging to government organizations.

Researchers identified fake registrant personas and suspicious domain patterns, suggesting sophisticated obfuscation tactics by Salt Typhoon.

A domain resembling a Hong Kong newspaper raises questions about potential psychological operations or propaganda efforts.

Silent Push advises organizations to scrutinize telemetry and logs against these domains to mitigate risks from Salt Typhoon's activities.

The report emphasizes the urgent need for proactive cybersecurity measures to counteract this persistent threat from Chinese espionage actors.